Silvio Micali MIT


Transcript of Silvio Micali MIT

Page 1: Silvio Micali MIT

Silvio Micali MIT

Key Management and Fair Electronic Exchange

Page 2: Silvio Micali MIT

Thesis

Key Management can and will be an enabler of Other Crypto Technologies:

Fair Electronic Exchange

Page 3: Silvio Micali MIT

What?

EXCHANGE: A has a, B has b. A gets b, B gets a.

ELECTRONIC: a (= string), b (= string)

FAIR: IF and only IF

YES endings (Complete transaction) (if both want)

NO endings (Incomplete transaction) (if ≤ 1 wants)

[Diagram: outcomes for A and B shown as "a b", "? ?", "? b" and "a ?"]

Page 4: Silvio Micali MIT

Running Example: Certified E-Mail

Crucial to Electronic Commerce but Not Easy (even with digital signatures):

Recipient R gets message IF and only IF Sender S gets R’s receipt for it

[Diagram: S, R: m]

[Diagram: S, R: m, SIG_R(m)]

is Wishful not Fair:

Bye!

S, R: …

Still Unfair!

More rounds

(Whoever gets first what he wants may stop)

Q: Trusted Parties? A: No Thanks!

Page 5: Silvio Micali MIT

Why Not?

Trusted party = Post Office

[Diagram: S, PO, R: m, SIG_R(m)]

Bad:

0. 4 messages
1. Congestion (at PO)
2. Cost ($1/message)
3. Liabilities ($10/message)

Then What?

When PO goes down all receipts are lost. Massive Law Suit!

Page 6: Silvio Micali MIT

Virtual Trusted Parties!

Yet:

IF S and R do not fairly complete their transaction
THEN the TP will (ex post) complete it
EXACTLY as S and R would have done if honest!

What does it mean??

♦ TP is off-line

♦ TP is unaware that S and R are transacting

♦ TP is unaware of S’s message and R’s signing key

Page 7: Silvio Micali MIT

[Diagram: panels labelled "If S & R honest" and "Else", with parties S, PO and R and the labels "what you have", "message", "receipt", "?", "either" and "or"]

More Specifically… (for Certified Electronic Mail)

HOW?

Page 8: Silvio Micali MIT

Basic CEM w/ Invisible PO (details)

PO: pk (sk) (PO’s public and secret encryption keys)

S, R

E_PK(M,S,R) = σ

SIG_R(σ) = y (receipt)

M (message)

Page 9: Silvio Micali MIT

Basic CEM w/ Invisible PO (details)

PO: pk (sk)

S, R

E_PO(M,S,R) = σ

SIG_R(σ) = y

M

σ & y

M,S,R

receipt: y

message: M
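An added sketch of the exchange on the two slides above (not code from the presentation): S sends σ, R answers with the receipt y, S sends M, and R turns to the PO with σ & y only when no matching M arrives. Assumptions: the message directions are read from the slide notation, toy textbook RSA over publicly known Mersenne primes stands in for E_PO and SIG_R, and R's re-encryption check on M and all function names are illustrative.

```python
import hashlib, json

E = 65537  # public exponent shared by both toy keys

def keygen(a, b):
    # Toy RSA from the Mersenne primes 2**a-1 and 2**b-1: publicly known, demo only.
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (modulus, private exponent)

PO_N, PO_D = keygen(127, 521)  # PO's encryption key pair: pk, (sk)
R_N, R_D = keygen(89, 607)     # R's signing key pair
SIG_KEYS = {"R": R_N}          # public signing keys the PO can look up

def digest(sigma, n):
    return int.from_bytes(hashlib.sha256(str(sigma).encode()).digest(), "big") % n

def encrypt_to_po(m, s, r):
    # sigma = E_PO(M, S, R). Textbook RSA is deterministic, which this sketch
    # uses so that R can re-encrypt and check the M it is finally sent.
    x = int.from_bytes(json.dumps([m, s, r]).encode(), "big")
    if x >= PO_N:
        raise ValueError("toy key only fits short messages")
    return pow(x, E, PO_N)

def sign_receipt(sigma):
    # y = SIG_R(sigma): R's receipt, issued before R has seen M.
    return pow(digest(sigma, R_N), R_D, R_N)

def verify_receipt(sigma, y, signer="R"):
    n = SIG_KEYS[signer]
    return pow(y, E, n) == digest(sigma, n)

def po_resolve(sigma, y):
    # Invoked only when R holds sigma and y but never received a matching M.
    x = pow(sigma, PO_D, PO_N)
    try:
        m, s, r = json.loads(x.to_bytes((x.bit_length() + 7) // 8, "big"))
        ok = verify_receipt(sigma, y, r)
    except (ValueError, TypeError, KeyError):
        return None                    # malformed sigma or unknown signer
    return {"to_R": m, "to_S": y} if ok else None

def exchange(m, third_message):
    # third_message: what S sends after getting the receipt (None = "Bye!").
    sigma = encrypt_to_po(m, "S", "R")                   # 1. S -> R
    y = sign_receipt(sigma)                              # 2. R -> S
    if third_message is not None and encrypt_to_po(third_message, "S", "R") == sigma:
        return third_message, y, False                   # 3. S -> R, PO never involved
    out = po_resolve(sigma, y)                           # R sends sigma & y to PO
    return out["to_R"], out["to_S"], True
```

`exchange` returns the message R ends up with, the receipt S ends up with, and whether the PO had to act.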

Page 10: Silvio Micali MIT

In Sum

S & R Honest: no PO!
Else: cheating useless
Thus: little or no cheating (1 ‰)

♦ Very Simple: Typical transaction has 3 messages rather than 4

♦ No congestions: Typical transactions are peer-to-peer

♦ Very Economical: Infrastructure / Liability costs are 1,000 less: TP handles just 1‰ of the transactions. (A single laptop can handle the whole country)

Great Efficiency (in all senses)

Page 11: Silvio Micali MIT

Go to Market

“IF you pay PO $10/month, can send unlimited certified e-mails for free, and if help is requested PO will fairly complete the transaction for $11. ELSE: good luck!”

Win-Win

User: Better paying $11 after the fact when I know I am dealing with a dishonest user, than paying $11 all the time just in case the other user is dishonest

PO: I get $10/month for doing nothing, and get paid extra when I have to work!

what do I gain?

Page 12: Silvio Micali MIT

1 claim, $1M

$1M per claim

traditional trustee (1 of the few)

(reserves=$2M)

(1 of the thousands)

$1M / claim

invisible trustee

Turing test

($1B reserves to prove it)

Small TPs = Big TPs

Page 13: Silvio Micali MIT

From Certified E-Mail to Everything

Same CEM Solution immediately implies
• Software Distribution
• Content Downloading
• (Sarbanes-Oxley)

Slight Variation implies Fair Contract Signing

General Solution implies All Fair Electronic Exchange!

Page 14: Silvio Micali MIT

History

Visible TPs

…Micali ’95 (U.S. No. 5,666,420)

Asokan Schunter Waidner ’97 (’96)

Asokan Shoup Waidner ’00

Blum ’81

Even Goldreich Lempel ’81

Luby Micali Rackoff ’83

Rabin ’81

Ben-Or Goldreich Micali & Rivest ’85

Page 15: Silvio Micali MIT

Key Management

Mathematical Success = all on a single key

Concrete Wisdom = 1 key 3 keys (2-out-of-3) + key management!

Practical because: PO rarely used!

Recommended because: People are People!=

To reveal sk

To decrypt E_pk(m)

Page 16: Silvio Micali MIT

Other Enablements

Secure, Distributed, Compact Storage

Other talk, Other Patents, Other Day

In Sum: Crypto Keys are great friends

And (proper) key management an even better one!

Page 17: Silvio Micali MIT


Thank You!